Abstract

We explore the correctness of the Certified Propagation Algorithm (CPA)
[6, 1, 8, 5] in solving broadcast with locally bounded Byzantine faults. CPA
allows the nodes to use only local information regarding the network topology.
We provide a tight necessary and sufficient condition on the network topology
for the correctness of CPA.
1. Introduction

In this work, we explore fault-tolerant broadcast with locally bounded
Byzantine faults in synchronous point-to-point networks. We assume an
f-locally bounded model, in which at most f Byzantine faults occur in the
neighborhood of every fault-free node [6]. In particular, we are interested
in the necessary and sufficient condition on the underlying communication
network topology for the correctness of the Certified Propagation Algorithm
(CPA). The CPA algorithm has been analyzed in prior work [6, 1, 8, 5, 7].

Problem Formulation. Consider an arbitrary directed network of n nodes.
One node in the network, called the source (s), is given an initial input,
which the source node needs to transmit to all the other nodes. The source
s is assumed to be fault-free. We say that CPA is correct if it satisfies the
following properties, where $x_s$ denotes the input at source node s:

• Termination: every fault-free node i eventually decides on an output
value $y_i$.

• Validity: for every fault-free node i, its output value $y_i$ equals the
source's input, i.e., $y_i = x_s$.

We study the condition on the network topology for the correctness of CPA.

Related Work. Several researchers have addressed the CPA problem. [6] studied
the problem in an infinite grid. [1] developed a sufficient condition in
the context of arbitrary network topologies, but the sufficient condition
proposed is not tight. [8] provided necessary and sufficient conditions, but the
two conditions are not identical (not tight). [5] provided another condition
that can approximate (within a factor of 2) the largest f for which CPA is
correct in a given graph. Independently, [7] presented the tight condition in
undirected graphs. Similar conditions in other contexts have also been discovered
by other researchers [9, 3]. Please refer to [11] for more discussion.

System Model. The synchronous communication network consisting of n nodes
including source node s is modeled as a simple directed graph $G(V, \mathcal{E})$, where
V is the set of n nodes, and $\mathcal{E}$ is the set of directed edges between the nodes
in V. Node i can transmit messages to another node j if and only if the
directed edge $(i, j)$ is in $\mathcal{E}$. Each node can transmit messages to itself as well;
however, for convenience, we exclude self-loops from set $\mathcal{E}$. That is, $(i, i) \notin \mathcal{E}$
for $i \in V$. All the links (i.e., communication channels) are assumed to be
point-to-point, reliable, FIFO (first-in first-out) and deliver each transmitted
message exactly once. With a slight abuse of terminology, we will use the
terms edge and link interchangeably.

For each node i, let $N_i^-$ be the set of nodes from which i has incoming
edges, i.e., $N_i^- = \{ j \mid (j, i) \in \mathcal{E} \}$. Similarly, define $N_i^+$ as the set of nodes
to which node i has outgoing edges, i.e., $N_i^+ = \{ j \mid (i, j) \in \mathcal{E} \}$. Nodes in
$N_i^-$ and $N_i^+$ are, respectively, said to be incoming and outgoing neighbors of
node i. Since we exclude self-loops from $\mathcal{E}$, $i \notin N_i^-$ and $i \notin N_i^+$. However,
we note again that each node can indeed transmit messages to itself.

We consider the f-local fault model, with at most f incoming neighbors
of any fault-free node becoming faulty. [6, 1, 8, 5, 7] also explored this fault
model. Yet, to the best of our knowledge, the tight necessary and sufficient
conditions for the correctness of CPA in directed networks under the f-local fault
model have not been developed previously.

2. Feasibility of CPA under f-local fault model

Certified Propagation Algorithm (CPA). We first describe the Certified
Propagation Algorithm (CPA) from [6] formally. Note that the faulty nodes
may deviate from this specification arbitrarily. Possible misbehavior includes
sending incorrect and mismatching messages to different outgoing neighbors.

Source node s commits to its input $x_s$ at the start of the algorithm, i.e.,
sets its output equal to $x_s$. The source node is said to have committed to $x_s$
in round 0. The algorithm for each round r (r > 0) is as follows:

1. Each node that commits in round $r - 1$ to some value x transmits
message x to all its outgoing neighbors, and then terminates.

2. If any node receives message x directly from source s, it commits to
output x.

3. Through round r, if a node has received messages containing value x
from at least $f + 1$ distinct incoming neighbors, then it commits to
output x.
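The three steps above, run as a round-by-round simulation. This is an added example, not code from the paper: the function name `run_cpa`, the adversary (every faulty node sends one forged value to all its outgoing neighbors) and the two small topologies are assumptions constructed for illustration.

```python
def run_cpa(nodes, edges, source, x_s, f, faulty=frozenset(), forged="FORGED"):
    """Simulate synchronous CPA; return {fault-free node: committed value or None}."""
    out_nbrs = {v: set() for v in nodes}
    for u, v in edges:
        out_nbrs[u].add(v)
    heard = {v: {} for v in nodes}        # heard[v][x] = incoming neighbors that sent x
    for u in faulty:                      # assumed adversary: forge towards every neighbor
        for v in out_nbrs[u]:
            heard[v].setdefault(forged, set()).add(u)
    committed = {source: x_s}             # round 0: the source commits to its input
    previous = {source}                   # nodes that committed in round r - 1
    while previous:
        for u in previous:                # step 1: transmit the committed value once
            for v in out_nbrs[u]:
                heard[v].setdefault(committed[u], set()).add(u)
        previous = set()
        for v in nodes:
            if v in faulty or v in committed:
                continue
            for x, senders in heard[v].items():
                # step 2: heard directly from the source; step 3: f + 1 distinct senders
                if source in senders or len(senders) >= f + 1:
                    committed[v] = x
                    previous.add(v)
                    break
    return {v: committed.get(v) for v in nodes if v not in faulty}

# Constructed topologies (not from the paper): s feeds a, b, c; they feed d.
NODES = ["s", "a", "b", "c", "d"]
STRONG = [("s", "a"), ("s", "b"), ("s", "c"), ("a", "d"), ("b", "d"), ("c", "d")]
WEAK = [e for e in STRONG if e != ("c", "d")]   # d keeps only two incoming neighbors

def demo():
    ok = run_cpa(NODES, STRONG, "s", "x_s", f=1, faulty={"a"})
    stuck = run_cpa(NODES, WEAK, "s", "x_s", f=1, faulty={"a"})
    return ok, stuck

if __name__ == "__main__":
    for result in demo():
        print(result)
```

With one faulty incoming neighbor, node d still commits to the source's value in the first topology, while in the second it never commits: the forged value is rejected in both cases, but termination is lost.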

The Necessary Condition. For CPA to be correct, the network graph $G(V, \mathcal{E})$
must satisfy the necessary condition proved in this section. We borrow two
relations $\Rightarrow$ and $\not\Rightarrow$ from our previous paper [12].

Definition 1. For non-empty disjoint sets of nodes A and B,

• $A \Rightarrow B$ iff there exists a node $v \in B$ that has at least $f + 1$ distinct
incoming neighbors in A, i.e., $|N_v^- \cap A| > f$.

• $A \not\Rightarrow B$ iff $A \Rightarrow B$ is not true.

Definition 2. Set $F \subseteq V$ is said to be a feasible f-local fault set, if for each
node $v \notin F$, F contains at most f incoming neighbors of node v. That is,
for every $v \in V - F$, $|N_v^- \cap F| \le f$.

We now derive the necessary condition on the network topology.

Theorem 1. Suppose that CPA is correct in graph $G(V, \mathcal{E})$ under the f-local
fault model. Let sets F, L, R form a partition¹ of V, such that (i) source
$s \in L$, (ii) R is non-empty, and (iii) F is a feasible f-local fault set. Then

• $L \Rightarrow R$, or

• R contains an outgoing neighbor of s, i.e., $N_s^+ \cap R \neq \emptyset$.

Proof. The proof is by contradiction. Consider any partition F, L, R such
that $s \in L$, R is non-empty, and F is a feasible f-local fault set. Suppose
that the input at s is $x_s$. Consider any single execution of the CPA algorithm
such that the nodes in F behave as if they have crashed.

By assumption, CPA is correct in the given network under such a behavior
by the faulty nodes. Thus, all the fault-free nodes eventually commit their
output to $x_s$. Let round r (r > 0) be the earliest round in which at least
one of the nodes in R commits to $x_s$. Let v be one of the nodes in R that
commits in round r. Such a node v must exist since R is non-empty, and
it does not contain source node s. For node v to be able to commit, as per
the specification of the CPA algorithm, either node v should receive the message
$x_s$ directly from the source s, or node v must have $f + 1$ distinct incoming
neighbors that have already committed to $x_s$. By definition of node v, nodes
that have committed to $x_s$ prior to v must be outside R; since nodes in F
behave as crashed, these $f + 1$ nodes must be in L. Thus, either $(s, v) \in \mathcal{E}$,
or node v has at least $f + 1$ distinct incoming neighbors in set L.

□

¹ Sets $X_1, X_2, X_3, \ldots, X_p$ are said to form a partition of set X provided that (i)
$\cup_{1 \le i \le p} X_i = X$, and (ii) $X_i \cap X_j = \emptyset$ if $i \neq j$.
Sufficiency. We now show that the condition in Theorem 1 is also sufficient.

Theorem 2. If $G(V, \mathcal{E})$ satisfies the condition in Theorem 1, then CPA is
correct in $G(V, \mathcal{E})$ under the f-local fault model.

Proof. Suppose that $G(V, \mathcal{E})$ satisfies the condition in Theorem 1. Let F' be
the set of faulty nodes. By assumption, F' is a feasible local fault set. Let
$x_s$ be the input at source node s. We will show that (i) fault-free nodes do
not commit to any value other than $x_s$ (Validity), and (ii) until all the
fault-free nodes have committed, in each round of CPA, at least one additional
fault-free node commits to value $x_s$ (Termination). The proof is by induction.

Induction basis: Source node s commits in round 0 to output equal to its
input $x_s$. No other fault-free nodes commit in round 0.

Induction: Suppose that L is the set of fault-free nodes that have committed
to $x_s$ through round r, r > 0. Thus, $s \in L$. Define $R = V - L - F'$. If $R = \emptyset$,
then the proof is complete. Let us now assume that $R \neq \emptyset$.

Now consider round $r + 1$.

• Validity:

Consider any fault-free node u that has not committed prior to round
$r + 1$ (i.e., $u \in R$). All the nodes in L have committed to $x_s$ by the end
of round r. Thus, in round $r + 1$ or earlier, node u may receive messages
containing values different from $x_s$ only from nodes in F'. Since there
are at most f incoming neighbors of u in F', node u cannot commit to
any value different from $x_s$ in round $r + 1$.

• Termination:

By the condition in Theorem 1, there exists a node w in R such that
(i) node w has an incoming link from s, or (ii) node w has incoming
links from $f + 1$ nodes in L. In case (i), node w will commit to $x_s$ on
receiving $x_s$ from node s in round $r + 1$ (in fact, $r + 1$ in this case must
be 1). In case (ii), first observe that all the nodes in L from whom
node w has incoming links have committed to $x_s$ (by definition of L).
Then, node w will be able to commit to $x_s$ after receiving messages
from at least $f + 1$ incoming neighbors in L, since all nodes in L have
committed to $x_s$ by the end of round r by the definition of L.² Thus,
node w will commit to $x_s$ in round $r + 1$.

This completes the proof. □

3. Discussion

This section presents extensions and the complexity of verifying the condition.
Due to space limitations, please refer to [11] for details.

CPA without prior knowledge of f. Given a graph G that can tolerate
f-local faults (where f is unknown), we construct a broadcast algorithm in G
without using f. The core idea is for each node to exhaustively test all
possible parameters by running $n + 1$ instances of the CPA algorithm in parallel.

Other Communication Model. In the broadcast model [6, 1], when a node
transmits a value, all of its outgoing neighbors receive this value identically.
Thus, no node can transmit mismatching values to different outgoing
neighbors. In the asynchronous model [2], the algorithm may not proceed in
rounds, but a node still commits to value x either on receiving the value
directly from s, or from $f + 1$ nodes. Under both models, the condition in Theorem
1 is both necessary and sufficient for the correctness of CPA. The claim for
the asynchronous model may seem to contradict the FLP result [4]. However,
our claim assumes that the source node is fault-free, unlike [4].

² Since node w did not commit prior to round $r + 1$, it follows that at least one node in
L must have committed in round r.

Complexity. [7] proved that it is NP-hard to examine whether CPA is correct
in a given undirected graph. The condition in [7] is indeed equivalent to our
condition (condition in Theorem 1) in undirected graphs. Therefore, it is
NP-hard to examine whether a given graph satisfies our condition or not.
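An added example (not the authors' code): a brute-force check of the condition in Theorem 1 for small graphs, with running time exponential in n as the hardness result suggests. For each feasible fault set F it grows L from {s} using the two alternatives in the theorem; a fixed point short of V - F is a violating partition. The function names and both sample graphs are constructed for illustration.

```python
from itertools import combinations

def in_neighbors(nodes, edges):
    nbrs = {v: set() for v in nodes}
    for u, v in edges:
        nbrs[v].add(u)
    return nbrs

def find_violation(nodes, edges, source, f):
    """Return a partition (F, L, R) that violates Theorem 1's condition, or None."""
    in_nbrs = in_neighbors(nodes, edges)
    others = [v for v in nodes if v != source]      # the source is never faulty
    for k in range(len(others) + 1):
        for F in map(set, combinations(others, k)):
            # Definition 2: every node outside F has at most f incoming neighbors in F.
            if any(len(in_nbrs[v] & F) > f for v in nodes if v not in F):
                continue
            L, grew = {source}, True
            while grew:                             # grow L until nothing more can join
                grew = False
                for v in nodes:
                    if v in F or v in L:
                        continue
                    # v is an outgoing neighbor of s, or has f + 1 incoming neighbors in L
                    if source in in_nbrs[v] or len(in_nbrs[v] & L) >= f + 1:
                        L.add(v)
                        grew = True
            R = set(nodes) - F - L
            if R:                                   # neither alternative holds for (L, R)
                return F, L, R
    return None

# Constructed topologies (not from the paper): s feeds a, b, c; they feed d.
NODES = ["s", "a", "b", "c", "d"]
STRONG = [("s", "a"), ("s", "b"), ("s", "c"), ("a", "d"), ("b", "d"), ("c", "d")]
WEAK = [e for e in STRONG if e != ("c", "d")]       # d keeps only two incoming neighbors

if __name__ == "__main__":
    print(find_violation(NODES, STRONG, "s", 1))
    print(find_violation(NODES, WEAK, "s", 1))
```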

4. Conclusion

In this paper, we explore broadcast in arbitrary networks using the CPA
algorithm under the f-local fault model. In particular, we provide a tight necessary
and sufficient condition on the underlying network for the correctness of CPA.